Difference between revisions of "NginX"
Plittlefield (talk | contribs) |
(27 intermediate revisions by the same user not shown) | |||
Line 9: | Line 9: | ||
'''NEW''' | '''NEW''' | ||
− | sudo apt install curl gnupg2 ca-certificates lsb-release | + | #!/bin/bash |
− | echo "deb <nowiki>http://nginx.org/packages/ubuntu</nowiki> `lsb_release -cs` nginx" | sudo tee /etc/apt/sources.list.d/nginx.list | + | sudo apt install curl gnupg2 ca-certificates lsb-release ubuntu-keyring -y && \ |
− | echo -e "Package: *\nPin: origin nginx.org\nPin: release o=nginx\nPin-Priority: 900\n" | sudo tee /etc/apt/preferences.d/99nginx | + | curl <nowiki>https://nginx.org/keys/nginx_signing.key</nowiki> | gpg --dearmor | sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null && \ |
− | curl -s -o /tmp/nginx_signing.key <nowiki>https://nginx.org/keys/nginx_signing.key</nowiki> | + | echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] <nowiki>http://nginx.org/packages/ubuntu</nowiki> `lsb_release -cs` nginx" | sudo tee /etc/apt/sources.list.d/nginx.list && \ |
− | sudo | + | echo -e "Package: *\nPin: origin nginx.org\nPin: release o=nginx\nPin-Priority: 900\n" | sudo tee /etc/apt/preferences.d/99nginx && \ |
− | + | curl -s -o /tmp/nginx_signing.key <nowiki>https://nginx.org/keys/nginx_signing.key</nowiki> && \ | |
− | + | sudo apt update -y && \ | |
− | + | sudo apt install nginx -y && \ | |
+ | nginx -t && \ | ||
+ | nginx -V && \ | ||
+ | exit; | ||
+ | |||
+ | Then, edit the SystemD file to add a sleep command ... | ||
+ | |||
+ | <code>/lib/systemd/system/nginx.service</code> | ||
+ | |||
+ | [Unit] | ||
+ | Description=nginx - high performance web server | ||
+ | Documentation=<nowiki>https://nginx.org/en/docs/</nowiki> | ||
+ | After=network-online.target remote-fs.target nss-lookup.target | ||
+ | Wants=network-online.target | ||
+ | |||
+ | [Service] | ||
+ | Type=forking | ||
+ | PIDFile=/var/run/nginx.pid | ||
+ | ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf | ||
+ | '''ExecStartPost=/bin/sleep 0.5''' | ||
+ | ExecReload=/bin/sh -c "/bin/kill -s HUP $(/bin/cat /var/run/nginx.pid)" | ||
+ | ExecStop=/bin/sh -c "/bin/kill -s TERM $(/bin/cat /var/run/nginx.pid)" | ||
+ | |||
+ | [Install] | ||
+ | WantedBy=multi-user.target | ||
https://nginx.org/en/linux_packages.html#Ubuntu | https://nginx.org/en/linux_packages.html#Ubuntu | ||
+ | |||
'''OLD''' | '''OLD''' | ||
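Review bot: The signing key in the NEW script goes from curl straight through gpg --dearmor into /usr/share/keyrings/nginx-archive-keyring.gpg with no fingerprint check, and because the deb line still uses http://nginx.org/packages/ubuntu that keyring is the only integrity control on the packages. Suggest saving the key to a file first, comparing its fingerprint with the one published on the linked nginx.org linux_packages page, and only then writing the keyring. The later curl -s -o /tmp/nginx_signing.key line looks like a leftover from the old revision, since nothing reads that file afterwards. Separately, edits made directly to /lib/systemd/system/nginx.service are replaced on package upgrade; a drop-in created with systemctl edit nginx that carries only the ExecStartPost line would persist.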
Line 32: | Line 57: | ||
== HOWTOS == | == HOWTOS == | ||
+ | |||
+ | === Performance === | ||
+ | |||
+ | ==== GZip Compression ==== | ||
+ | |||
+ | To set ... | ||
+ | |||
+ | <code>/etc/nginx/conf.d/web_site.conf</code> | ||
+ | |||
+ | # Gzip compression | ||
+ | gzip on; | ||
+ | gzip_vary on; | ||
+ | gzip_min_length 1000; | ||
+ | gzip_comp_level 5; | ||
+ | gzip_types application/json text/css application/x-javascript application/javascript image/svg+xml; | ||
+ | gzip_proxied any; | ||
+ | |||
+ | To test... | ||
+ | |||
+ | curl -H "Accept-Encoding: gzip" -I <nowiki>https://www.domain.co.uk/</nowiki> | ||
+ | |||
+ | ==== Browser File Caching ==== | ||
+ | |||
+ | To set ... | ||
+ | |||
+ | <code>/etc/nginx/conf.d/web_site.conf</code> | ||
+ | |||
+ | # Caching | ||
+ | location ~* \.(jpg|jpeg|gif|png|webp|svg|woff|woff2|ttf|css|js|ico|xml)$ { | ||
+ | access_log off; | ||
+ | log_not_found off; | ||
+ | expires 360d; | ||
+ | add_header Access-Control-Allow-Origin *; | ||
+ | add_header Pragma public; | ||
+ | add_header Cache-Control "public, must-validate"; | ||
+ | } | ||
+ | |||
+ | To test, first get the Entity Tag (etag) number and then use that ... | ||
+ | |||
+ | curl -I <nowiki>https://www.domain.co.uk/index.html</nowiki> | ||
+ | HTTP/2 200 | ||
+ | server: nginx/1.22.1 | ||
+ | date: Sun, 13 Nov 2022 12:56:15 GMT | ||
+ | content-type: text/html | ||
+ | content-length: 11 | ||
+ | last-modified: Fri, 11 Nov 2022 13:04:22 GMT | ||
+ | '''etag: "636e4856-b"''' | ||
+ | accept-ranges: bytes | ||
+ | |||
+ | curl -I -H 'If-None-Match: "636e4856-b"' <nowiki>https://www.domain.co.uk/index.html</nowiki> | ||
+ | '''HTTP/2 304 Not Modified''' | ||
+ | server: nginx/1.22.1 | ||
+ | date: Sun, 13 Nov 2022 12:59:23 GMT | ||
+ | last-modified: Fri, 11 Nov 2022 13:04:22 GMT | ||
+ | etag: "636e4856-b" | ||
+ | |||
+ | This means, it is working :) | ||
+ | |||
+ | [https://www.nginx.com/blog/rate-limiting-nginx/ Rate Limiting] | ||
[https://www.upguard.com/blog/how-to-build-a-tough-nginx-server-in-15-steps Security Hardening] | [https://www.upguard.com/blog/how-to-build-a-tough-nginx-server-in-15-steps Security Hardening] | ||
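Review bot: In the Browser File Caching block, Cache-Control "public, must-validate" uses a directive name that does not exist; the standard directive is must-revalidate, and clients ignore directives they do not recognise. Note also that expires 360d already emits its own Cache-Control: max-age header, so the response ends up carrying two Cache-Control headers. The same location sends Access-Control-Allow-Origin * for every matched type, including js and xml; if the wildcard is only needed for web fonts, scope it to a separate woff|woff2|ttf location.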
Line 44: | Line 128: | ||
[https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-18-04 How To Secure Nginx with Let's Encrypt] | [https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-18-04 How To Secure Nginx with Let's Encrypt] | ||
+ | |||
+ | [https://www.linuxbabe.com/nginx/setup-nginx-fastcgi-cache Set Up Nginx FastCGI Cache to Reduce WordPress Server Response Time] | ||
== Monitoring == | == Monitoring == | ||
− | https://amplify.nginx.com/ | + | [https://github.com/lebinh/ngxtop NGXtop] |
+ | |||
+ | [https://amplify.nginx.com/ Amplify] | ||
+ | |||
+ | == HTTP/3 == | ||
+ | |||
+ | HTTP/3 is only available on secure connections so you have to set up an SSL Certificate and add the following lines to your server block:- | ||
+ | |||
+ | listen [::]:443 ssl; | ||
+ | listen 443 ssl; | ||
+ | http3 on; | ||
== HTTP/2 == | == HTTP/2 == | ||
− | + | HTTP/2 is only available on secure connections so you have to set up an SSL Certificate and add the following lines to your server block:- | |
+ | |||
+ | listen [::]:443 ssl; | ||
+ | listen 443 ssl; | ||
+ | http2 on; | ||
== Redirect HTTP to HTTPS == | == Redirect HTTP to HTTPS == | ||
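Review bot: The HTTP/3 block only contains listen [::]:443 ssl; and listen 443 ssl;, which open TCP sockets, while HTTP/3 runs over QUIC on UDP, so with only http3 on; added nothing is listening for it and the section is identical to the HTTP/2 one apart from that directive. Suggest adding listen 443 quic reuseport; (and the [::] equivalent), an Alt-Svc header such as add_header Alt-Svc 'h3=":443"; ma=86400'; so clients learn the endpoint exists, and a reminder that UDP 443 has to be allowed through the firewall.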
Line 65: | Line 165: | ||
https://nginx.org/en/docs/ | https://nginx.org/en/docs/ | ||
+ | |||
+ | == Directory Index Time == | ||
+ | |||
+ | By default, nginx outputs the directory index in UTC time. If you want it to display the time in your local timezone, you should set the autoindex_localtime directive to on... | ||
+ | |||
+ | autoindex_localtime on | ||
+ | |||
+ | https://stackoverflow.com/questions/53670557/nginx-shows-wrong-time-timezone | ||
== Fixes == | == Fixes == | ||
+ | |||
+ | === Request Entity Too Large === | ||
+ | |||
+ | <code>/etc/nginx/nginx.conf</code> or <code>/etc/nginx/conf.d/my_site.conf</code> | ||
+ | |||
+ | server { | ||
+ | ... | ||
+ | # Fix file upload size | ||
+ | client_max_body_size 10M; | ||
+ | ... | ||
+ | } | ||
+ | |||
+ | <code>/etc/php/x.x/php-fpm/php.ini</code> | ||
+ | |||
+ | ;This sets the maximum amount of memory in bytes that a script is allowed to allocate | ||
+ | memory_limit = 32M | ||
+ | |||
+ | ;The maximum size of an uploaded file. | ||
+ | upload_max_filesize = 10M | ||
+ | |||
+ | ;Sets max size of post data allowed. This setting also affects file upload. To upload large files, this value must be larger than upload_max_filesize | ||
+ | post_max_size = 12M | ||
+ | |||
+ | https://www.cyberciti.biz/faq/linux-unix-bsd-nginx-413-request-entity-too-large/ | ||
=== nginx: [emerg] duplicate listen options for [::]:443 === | === nginx: [emerg] duplicate listen options for [::]:443 === |
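Review bot: autoindex_localtime on in the Directory Index Time section is missing its terminating semicolon, so nginx -t rejects the config if the line is pasted as shown. In Request Entity Too Large, client_max_body_size 10M equals upload_max_filesize = 10M; a multipart upload of a 10M file is slightly larger than 10M on the wire, so nginx still answers 413 for the largest file PHP is configured to accept. Suggest raising the nginx value to match post_max_size (12M), or stating that the nginx value is the intended cap.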
Latest revision as of 16:30, 21 July 2024
Introduction
NginX is a web server which can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache. The software was created by Igor Sysoev and first publicly released in 2004.
Installation
NEW
    #!/bin/bash
    # Adds the nginx.org apt repository with its own keyring, pins it above the distro packages, then installs nginx.
    sudo apt install curl gnupg2 ca-certificates lsb-release ubuntu-keyring -y && \
    curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor | sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null && \
    echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] http://nginx.org/packages/ubuntu `lsb_release -cs` nginx" | sudo tee /etc/apt/sources.list.d/nginx.list && \
    echo -e "Package: *\nPin: origin nginx.org\nPin: release o=nginx\nPin-Priority: 900\n" | sudo tee /etc/apt/preferences.d/99nginx && \
    curl -s -o /tmp/nginx_signing.key https://nginx.org/keys/nginx_signing.key && \
    sudo apt update -y && \
    sudo apt install nginx -y && \
    nginx -t && \
    nginx -V && \
    exit;
Then, edit the systemd unit file to add a sleep command (the ExecStartPost line) ...
/lib/systemd/system/nginx.service
    [Unit]
    Description=nginx - high performance web server
    Documentation=https://nginx.org/en/docs/
    After=network-online.target remote-fs.target nss-lookup.target
    Wants=network-online.target

    [Service]
    Type=forking
    PIDFile=/var/run/nginx.pid
    ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf
    ExecStartPost=/bin/sleep 0.5
    ExecReload=/bin/sh -c "/bin/kill -s HUP $(/bin/cat /var/run/nginx.pid)"
    ExecStop=/bin/sh -c "/bin/kill -s TERM $(/bin/cat /var/run/nginx.pid)"

    [Install]
    WantedBy=multi-user.target
https://nginx.org/en/linux_packages.html#Ubuntu
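The NEW script writes the downloaded key into the apt keyring without checking it. The following is an added example (not from the original page or from nginx.org) that gates that step on the fingerprints published at the link above; ALLOWED_FPRS is a placeholder to be filled in from that page, and the function names are assumptions.

```sh
#!/bin/sh
# Added example: gate the nginx keyring on a fingerprint allowlist.
# ALLOWED_FPRS is a placeholder. Fill it with the fingerprints published on
# https://nginx.org/en/linux_packages.html (space separated, 40 hex digits each).
ALLOWED_FPRS="${ALLOWED_FPRS:-REPLACE_WITH_PUBLISHED_FINGERPRINT}"

# Read `gpg --with-colons` output on stdin and print one primary-key
# fingerprint per line. An "fpr" record describes the pub/sub record before it.
primary_fingerprints() {
    awk -F: '
        $1 == "pub" { primary = 1 }
        $1 == "sub" { primary = 0 }
        $1 == "fpr" && primary { print toupper($10); primary = 0 }'
}

# all_allowed "FPR1 FPR2": succeed only if stdin holds at least one
# fingerprint and every one of them is in the allowlist (fails closed).
all_allowed() {
    allowed=" $(printf '%s' "$1" | tr 'a-f' 'A-F') "
    count=0
    while read -r fpr; do
        [ -n "$fpr" ] || continue
        case "$allowed" in
            *" $fpr "*) count=$((count + 1)) ;;
            *) echo "unexpected key in keyring: $fpr" >&2; return 1 ;;
        esac
    done
    [ "$count" -gt 0 ]
}

# List the keys in a key file without importing them into any keyring.
show_keys() {
    gpg --dry-run --quiet --no-keyring --import \
        --import-options import-show --with-colons "$1"
}

# verify_and_install KEYFILE: KEYFILE is the armored key the page's script
# saves as /tmp/nginx_signing.key. Installs the keyring only after the check.
verify_and_install() {
    show_keys "$1" | primary_fingerprints | all_allowed "$ALLOWED_FPRS" || {
        echo "fingerprint check failed, keyring not installed" >&2
        return 1
    }
    gpg --dearmor < "$1" |
        sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null
}

# Run the check when a key file is given on the command line.
[ "$#" -ne 1 ] || verify_and_install "$1"
```

If gpg fails or prints no keys, the fingerprint list is empty and the check fails, so a broken download never reaches the keyring.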
OLD
https://docs.nginx.com/nginx/admin-guide/installing-nginx/installing-nginx-open-source/
This will install the latest NginX server and also OpenSSL and the OpenSSL libraries.
    sudo add-apt-repository ppa:ondrej/nginx
    sudo apt-get -y update
    sudo apt-get -y dist-upgrade
    sudo apt-get -y install nginx-full openssl libssl1.1
HOWTOS
Performance
GZip Compression
To set ...
/etc/nginx/conf.d/web_site.conf
    # Gzip compression
    gzip on;
    gzip_vary on;
    gzip_min_length 1000;
    gzip_comp_level 5;
    gzip_types application/json text/css application/x-javascript application/javascript image/svg+xml;
    gzip_proxied any;
To test...
    curl -H "Accept-Encoding: gzip" -I https://www.domain.co.uk/
Browser File Caching
To set ...
/etc/nginx/conf.d/web_site.conf
    # Caching
    location ~* \.(jpg|jpeg|gif|png|webp|svg|woff|woff2|ttf|css|js|ico|xml)$ {
        access_log off;
        log_not_found off;
        expires 360d;
        add_header Access-Control-Allow-Origin *;
        add_header Pragma public;
        # must-revalidate is the valid directive name ("must-validate" is ignored by clients)
        add_header Cache-Control "public, must-revalidate";
    }
To test, first get the entity tag (ETag) value and then send it back in an If-None-Match header ...
    curl -I https://www.domain.co.uk/index.html
    HTTP/2 200
    server: nginx/1.22.1
    date: Sun, 13 Nov 2022 12:56:15 GMT
    content-type: text/html
    content-length: 11
    last-modified: Fri, 11 Nov 2022 13:04:22 GMT
    etag: "636e4856-b"
    accept-ranges: bytes

    curl -I -H 'If-None-Match: "636e4856-b"' https://www.domain.co.uk/index.html
    HTTP/2 304 Not Modified
    server: nginx/1.22.1
    date: Sun, 13 Nov 2022 12:59:23 GMT
    last-modified: Fri, 11 Nov 2022 13:04:22 GMT
    etag: "636e4856-b"
A 304 Not Modified response means it is working :)
Fix 502 Bad Gateway Error - check nginx is running as user 'www-data'
How To Create a Self-Signed SSL Certificate for Nginx
How To Set Up Nginx with HTTP/2 Support
How To Set Up Nginx Server Blocks Virtual Hosts
How To Secure Nginx with Let's Encrypt
Set Up Nginx FastCGI Cache to Reduce WordPress Server Response Time
Monitoring
HTTP/3
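HTTP/3 is only available on secure connections so you have to set up an SSL Certificate and add the following lines to your server block:
    listen [::]:443 ssl;
    listen 443 ssl;
    listen [::]:443 quic reuseport;   # HTTP/3 runs over QUIC (UDP); reuseport only once per address:port
    listen 443 quic reuseport;
    http3 on;
    add_header Alt-Svc 'h3=":443"; ma=86400';   # tells clients that HTTP/3 is offered on UDP 443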
HTTP/2
HTTP/2 is only available on secure connections so you have to set up an SSL Certificate and add the following lines to your server block:
    listen [::]:443 ssl;
    listen 443 ssl;
    http2 on;
Redirect HTTP to HTTPS
    # redirect to https
    server {
        listen 80 default_server;
        server_name _;
        return 301 https://$host$request_uri;
    }
Documentation
Directory Index Time
By default, nginx outputs the directory index in UTC time. If you want it to display the time in your local timezone, you should set the autoindex_localtime directive to on...
    autoindex_localtime on;
https://stackoverflow.com/questions/53670557/nginx-shows-wrong-time-timezone
Fixes
Request Entity Too Large
/etc/nginx/nginx.conf or /etc/nginx/conf.d/my_site.conf
    server {
        ...
        # Fix file upload size
        client_max_body_size 10M;
        ...
    }
/etc/php/x.x/php-fpm/php.ini
    ;This sets the maximum amount of memory in bytes that a script is allowed to allocate
    memory_limit = 32M

    ;The maximum size of an uploaded file.
    upload_max_filesize = 10M

    ;Sets max size of post data allowed. This setting also affects file upload. To upload large files, this value must be larger than upload_max_filesize
    post_max_size = 12M
https://www.cyberciti.biz/faq/linux-unix-bsd-nginx-413-request-entity-too-large/
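The nginx and PHP limits above only work together when they are ordered correctly, and a request is rejected by whichever limit is smallest. The following is an added example (not part of the original page) that reads an nginx config and a php.ini and reports limits that contradict each other; the function names are assumptions, and the demo files are constructed from the values shown on this page.

```sh
#!/bin/sh
# Added example: check the nginx and PHP upload limits against each other.
# Convert nginx/PHP size shorthand (10M, 12m, 1G, 512k, 1000) to bytes.
to_bytes() {
    printf '%s\n' "$1" | awk '{
        n = $0 + 0; u = tolower(substr($0, length($0)))
        if (u == "k") n *= 1024
        if (u == "m") n *= 1024 * 1024
        if (u == "g") n *= 1024 * 1024 * 1024
        printf "%.0f\n", n }'
}

# Last client_max_body_size on stdin (nginx default 1m); ignores block nesting.
nginx_body_limit() {
    sed 's/#.*//' | awk '$1 == "client_max_body_size" { v = $2 }
        END { sub(/;$/, "", v); print (v == "" ? "1m" : v) }'
}

# php_ini_value KEY: value of KEY from the php.ini text on stdin.
php_ini_value() {
    sed 's/;.*//' | awk -F= -v key="$1" '
        { gsub(/[ \t]/, "", $1); gsub(/[ \t]/, "", $2) }
        $1 == key { v = $2 } END { print v }'
}

# check_upload_chain NGINX_CONF PHP_INI: print each problem, return 1 if any.
check_upload_chain() {
    body=$(to_bytes "$(nginx_body_limit < "$1")")
    post=$(to_bytes "$(php_ini_value post_max_size < "$2")")
    file=$(to_bytes "$(php_ini_value upload_max_filesize < "$2")")
    rc=0
    [ "$post" -gt "$file" ] || { rc=1
        echo "post_max_size ($post) must exceed upload_max_filesize ($file)"; }
    [ "$body" -gt "$file" ] || { rc=1
        echo "client_max_body_size ($body) has no room for multipart overhead" \
             "on a $file byte file: nginx answers 413 before PHP runs"; }
    return "$rc"
}

# Demo on this page's values (10M body, 10M file, 12M post) in temp files.
demo() {
    d=$(mktemp -d)
    printf 'server {\n  client_max_body_size 10M;\n}\n' > "$d/nginx.conf"
    printf 'upload_max_filesize = 10M\npost_max_size = 12M\n' > "$d/php.ini"
    check_upload_chain "$d/nginx.conf" "$d/php.ini"; rc=$?; rm -rf "$d"; return "$rc"
}

# With two paths, check real files; with none, run the demo.
if [ "$#" -eq 2 ]; then check_upload_chain "$1" "$2"; else demo || true; fi
```

On the page's values the demo reports that client_max_body_size equals upload_max_filesize, so a file of exactly the PHP limit is still refused by nginx.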
nginx: [emerg] duplicate listen options for [::]:443
Remove the ipv6only=on directive in your virtual host config files...
    # listen [::]:443 ssl http2 ipv6only=on;
    listen [::]:443 ssl http2;
    listen 443 ssl http2;
    ssl_certificate /etc/letsencrypt/live/www.domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.domain.com/privkey.pem;